Controlling access to electronic resources based on a user&#39;s sociometric identification document

ABSTRACT

A method establishes a session between a network resource and a user device used by a user having a particular sociometric identity. One or more processors identify an interaction between a user and one or more provider entities. The processor(s) identify profiles for the one or more provider entities, and compute a sociometric identity of the user based on the profiles of the one or more provider entities with which the user has had an interaction. One or more processors transmit the sociometric identity to a network resource in order to establish a session between the network resource and a user device used by the user having the sociometric identity.

BACKGROUND

The present disclosure relates to the field of computers, andparticularly to computers that communicate via a network. Moreparticularly, the present disclosure relates to authentication ofcomputers that communicate via a network.

Computer resources include hardware (e.g., servers, storage devices,printers, etc.) as well as software (e.g., applications, databases,etc.). Such computer resources may be on a network, thus allowing remoteaccess by a user, or local, such that the user is able to directlyaccess the computer resources.

In order to access such computer resources, the user is often requiredto identify himself/herself, in order to allow the system to keep arecord of which user accesses the computer resources, to ensure thatonly authorized users are accessing the computer resources, to challengethe user (e.g., for security purposes), etc.

However, if the user simply identifies himself/herself with a name(e.g., a given name, a name of an email address, etc.), then there islittle security. That is, it is a trivial process for anunauthorized/improper user to simply lie about his/her name whenaccessing such computer resources. Therefore, various types of securitymeasures can be taken.

For example, the user may be required to identify himself/herself with apassword or token. But a password or token is may be easy for the userto forget, and for improper parties to steal.

The user may be required to identify himself/herself by presenting abiometric signature (e.g., a fingerprint, retina scan, etc.), but thisrequires additional hardware (biometric scanners).

The user may be associated with the computer from which he/she isworking (e.g., as identified by an internet protocol (IP) address or amedia access control (MAC) address or a universal unique identifier(UUID) for that computer). However, this only identifies the computer,not the user.

Thus, the prior art does not truly identify “who” the user is. Rather,the “identity” of the user in the prior art is based on the user's givenname, the user's password, the user's biometrics, or the user'scomputer. None of these items provide a true identity of the user,particularly when accessing various computer resources.

SUMMARY

In one or more embodiments of the present invention, a methodestablishes a session between a network resource and a user device usedby the user having a particular sociometric identity. One or moreprocessors identify an interaction between a user and one or moreprovider entities. The processor(s) identify profiles for the one ormore provider entities, and compute a sociometric identity of the userbased on the profiles of the one or more provider entities with whichthe user has had an interaction. One or more processors transmit thesociometric identity to a network resource in order to establish asession between the network resource and a user device used by the userhaving the sociometric identity.

In one or more embodiments of the present invention, the method isimplemented as a computer program product and/or in a system.

In an embodiment of the present invention, a time period in which theinteraction between the user and the one or more provider entitiesoccurs is used to limit a lifetime of the sociometric identity.

In an embodiment of the present invention, one or more processorsrecursively examine the profiles for the one or more provider entitiesuntil the sociometric identifier is confirmed for the user.

In an embodiment of the present invention, one or more processorsconstruct a social graph that includes a user node for the user linkedto provider entity nodes for the one or more provider entities. The usernode and the one or more provider entity nodes are connected by pairs ofstatic edges and dynamic edges, where the static edges include staticmetadata that describes a relationship between the user node and the oneor more provider entity nodes, and where the dynamic edges includedynamic metadata that describes actions and interactions between theuser and the one or more provider entities. One or more processorsperform a depth-first search of the social graph in order to traverseall nodes in the social graph, and then hash the sociometric identitywith the static metadata and the dynamic metadata for all nodes in orderto create a sociometric identity hash value, and then store thesociometric identity of the user at a location, in a sociometricidentity table, that is identified by the hash value.

In an embodiment of the present invention, one or more processorsconstruct a social graph that includes a user node for the user linkedto provider entity nodes for the one or more provider entities. The usernode and the provider entity nodes are connected by pairs of staticedges and dynamic edges, where the static edges include static metadatathat describes a relationship between the user node and the providerentity nodes, and where the dynamic edges include dynamic metadata thatdescribes actions and interactions between the user and the one or moreprovider entities. One or more processors partition the social graphinto multiple digests, including a first digest that is composed of theuser node and a first set of provider entity nodes, and a second digestthat is composed of the user node and a second set of provider entitynodes. One or more processors compare the first digest to the seconddigest in order to determine a percentage of matching static and dynamicmetadata between the first digest and the second digest. In response tothe percentage of matching static and dynamic metadata between the firstdigest and the second digest exceeding a predefined value, one or moreprocessors confirm the sociometric identity of the user as a confirmedsociometric identity. One or more processors then store the confirmedsociometric identity in a digest store, where the digest store uses akey value pair table that associates the sociometric identity of theuser with the first digest.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 depicts an exemplary system and network in which the presentdisclosure may be implemented;

FIG. 2 illustrates a graph showing a relationship between a sociometricidentity that is defined by various user interactions and/or activitiesin accordance with one or more embodiments of the present invention;

FIG. 3 depicts an exemplary set of activities, interactions, histories,profiles, and/or devices provided by provider entities in order tosupply information used to compute a sociometric ID for a user inaccordance with one or more embodiments of the present invention;

FIG. 4 illustrates an overview of how sociometric identificationdocuments (sIDs) are used to identify a user in accordance with one ormore embodiments of the present invention;

FIG. 5 depicts an exemplary interaction graph that includes a user nodeand one or more provider entity nodes in accordance with one or moreembodiments of the present invention;

FIG. 6 is a high-level flowchart depicting how sociometric IDs (sIDs)are computed, updated, distributed, and verified in accordance with oneor more embodiments of the present invention;

FIG. 7 illustrates a sociometric ID provider obtaining information abouta user for use in generating a sociometric ID in accordance with one ormore embodiments of the present invention;

FIG. 8 depicts a method for computing a sociometric ID in accordancewith one or more embodiments of the present invention;

FIG. 9 is a high-level flow chart of one or more steps performed by oneor more processors to computer a sociometric identification document(sID) in accordance with one or more embodiments of the presentinvention;

FIG. 10 is a high level flow chart of a process for computing,distributing, and verifying an sID in accordance with one or moreembodiments of the present invention;

FIG. 11 is a high level flow chart of one or more steps performed by oneor more embodiments of the present invention to generate and utilize ansID;

FIG. 12 depicts a cloud computing environment according to an embodimentof the present invention; and

FIG. 13 depicts abstraction model layers of a cloud computingenvironment according to an embodiment of the present invention.

DETAILED DESCRIPTION

The present invention may be a system, a method, and/or a computerprogram product at any possible technical detail level of integration.The computer program product may include a computer readable storagemedium (or media) having computer readable program instructions thereonfor causing a processor to carry out aspects of the present invention.

The computer readable storage medium can be a tangible device that canretain and store instructions for use by an instruction executiondevice. The computer readable storage medium may be, for example, but isnot limited to, an electronic storage device, a magnetic storage device,an optical storage device, an electromagnetic storage device, asemiconductor storage device, or any suitable combination of theforegoing. A non-exhaustive list of more specific examples of thecomputer readable storage medium includes the following: a portablecomputer diskette, a hard disk, a random access memory (RAM), aread-only memory (ROM), an erasable programmable read-only memory (EPROMor Flash memory), a static random access memory (SRAM), a portablecompact disc read-only memory (CD-ROM), a digital versatile disk (DVD),a memory stick, a floppy disk, a mechanically encoded device such aspunch-cards or raised structures in a groove having instructionsrecorded thereon, and any suitable combination of the foregoing. Acomputer readable storage medium, as used herein, is not to be construedas being transitory signals per se, such as radio waves or other freelypropagating electromagnetic waves, electromagnetic waves propagatingthrough a waveguide or other transmission media (e.g., light pulsespassing through a fiber-optic cable), or electrical signals transmittedthrough a wire.

Computer readable program instructions described herein can bedownloaded to respective computing/processing devices from a computerreadable storage medium or to an external computer or external storagedevice via a network, for example, the Internet, a local area network, awide area network and/or a wireless network. The network may comprisecopper transmission cables, optical transmission fibers, wirelesstransmission, routers, firewalls, switches, gateway computers and/oredge servers. A network adapter card or network interface in eachcomputing/processing device receives computer readable programinstructions from the network and forwards the computer readable programinstructions for storage in a computer readable storage medium withinthe respective computing/processing device.

Computer readable program instructions for carrying out operations ofthe present invention may be assembler instructions,instruction-set-architecture (ISA) instructions, machine instructions,machine dependent instructions, microcode, firmware instructions,state-setting data, or either source code or object code written in anycombination of one or more programming languages, including an objectoriented programming language such as Java, Smalltalk, C++ or the like,and conventional procedural programming languages, such as the “C”programming language or similar programming languages. The computerreadable program instructions may execute entirely on the user'scomputer, partly on the user's computer, as a stand-alone softwarepackage, partly on the user's computer and partly on a remote computeror entirely on the remote computer or server. In the latter scenario,the remote computer may be connected to the user's computer through anytype of network, including a local area network (LAN) or a wide areanetwork (WAN), or the connection may be made to an external computer(for example, through the Internet using an Internet Service Provider).In some embodiments, electronic circuitry including, for example,programmable logic circuitry, field-programmable gate arrays (FPGA), orprogrammable logic arrays (PLA) may execute the computer readableprogram instructions by utilizing state information of the computerreadable program instructions to personalize the electronic circuitry,in order to perform aspects of the present invention.

Aspects of the present invention are described herein with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems), and computer program products according to embodiments of theinvention. It will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer readable program instructions.

These computer readable program instructions may be provided to aprocessor of a general purpose computer, special purpose computer, orother programmable data processing apparatus to produce a machine, suchthat the instructions, which execute via the processor of the computeror other programmable data processing apparatus, create means forimplementing the functions/acts specified in the flowchart and/or blockdiagram block or blocks. These computer readable program instructionsmay also be stored in a computer readable storage medium that can directa computer, a programmable data processing apparatus, and/or otherdevices to function in a particular manner, such that the computerreadable storage medium having instructions stored therein comprises anarticle of manufacture including instructions which implement aspects ofthe function/act specified in the flowchart and/or block diagram blockor blocks.

The computer readable program instructions may also be loaded onto acomputer, other programmable data processing apparatus, or other deviceto cause a series of operational steps to be performed on the computer,other programmable apparatus or other device to produce a computerimplemented process, such that the instructions which execute on thecomputer, other programmable apparatus, or other device implement thefunctions/acts specified in the flowchart and/or block diagram block orblocks.

The flowchart and block diagrams in the Figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods, and computer program products according to variousembodiments of the present invention. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof instructions, which comprises one or more executable instructions forimplementing the specified logical function(s). In some alternativeimplementations, the functions noted in the block may occur out of theorder noted in the figures. For example, two blocks shown in successionmay, in fact, be executed substantially concurrently, or the blocks maysometimes be executed in the reverse order, depending upon thefunctionality involved. It will also be noted that each block of theblock diagrams and/or flowchart illustration, and combinations of blocksin the block diagrams and/or flowchart illustration, can be implementedby special purpose hardware-based systems that perform the specifiedfunctions or acts or carry out combinations of special purpose hardwareand computer instructions.

With reference now to the figures, and in particular to FIG. 1, there isdepicted a block diagram of an exemplary system and network that may beutilized by and/or in the implementation of the present invention. Someor all of the exemplary architecture, including both depicted hardwareand software, shown for and within computer 101 may be utilized bysociometric ID provider 106 and/or software deploying server 149 and/orother systems 155 shown in FIG. 1.

Exemplary computer 101 includes a processor 103 that is coupled to asystem bus 105. Processor 103 may utilize one or more processors, eachof which has one or more processor cores. A video adapter 107, whichdrives/supports a display 109 (which may be a touch-screen displaycapable of detecting touch inputs onto the display 109), is also coupledto system bus 105. System bus 105 is coupled via a bus bridge 111 to aninput/output (I/O) bus 113. An I/O interface 115 is coupled to I/O bus113. I/O interface 115 affords communication with various I/O devices,including a keyboard 117, a mouse 119, a media tray 121 (which mayinclude storage devices such as CD-ROM drives, multi-media interfaces,etc.), and external USB port(s) 125. While the format of the portsconnected to I/O interface 115 may be any known to those skilled in theart of computer architecture, in one embodiment some or all of theseports are universal serial bus (USB) ports.

As depicted, computer 101 is able to communicate with a softwaredeploying server 149 and/or other devices/systems using a networkinterface 129. Network interface 129 is a hardware network interface,such as a network interface card (NIC), etc. Network 127 may be anexternal network such as the Internet, or an internal network such as anEthernet or a virtual private network (VPN). In one or more embodiments,network 127 is a wireless network, such as a Wi-Fi network, a cellularnetwork, etc.

A hard drive interface 131 is also coupled to system bus 105. Hard driveinterface 131 interfaces with a hard drive 133. In one embodiment, harddrive 133 populates a system memory 135, which is also coupled to systembus 105. System memory is defined as a lowest level of volatile memoryin computer 101. This volatile memory includes additional higher levelsof volatile memory (not shown), including, but not limited to, cachememory, registers and buffers. Data that populates system memory 135includes computer 101's operating system (OS) 137 and applicationprograms 143.

OS 137 includes a shell 139, for providing transparent user access toresources such as application programs 143. Generally, shell 139 is aprogram that provides an interpreter and an interface between the userand the operating system. More specifically, shell 139 executes commandsthat are entered into a command line user interface or from a file.Thus, shell 139, also called a command processor, is generally thehighest level of the operating system software hierarchy and serves as acommand interpreter. The shell provides a system prompt, interpretscommands entered by keyboard, mouse, or other user input media, andsends the interpreted command(s) to the appropriate lower levels of theoperating system (e.g., a kernel 141) for processing. While shell 139 isa text-based, line-oriented user interface, the present invention willequally well support other user interface modes, such as graphical,voice, gestural, etc.

As depicted, OS 137 also includes kernel 141, which includes lowerlevels of functionality for OS 137, including providing essentialservices required by other parts of OS 137 and application programs 143,including memory management, process and task management, diskmanagement, and mouse and keyboard management.

Application programs 143 include a renderer, shown in exemplary manneras a browser 145. Browser 145 includes program modules and instructionsenabling a world wide web (WWW) client (i.e., computer 101) to send andreceive network messages to the Internet using hypertext transferprotocol (HTTP) messaging, thus enabling communication with softwaredeploying server 149 and other systems.

Application programs 143 in computer 101's system memory (as well assoftware deploying server 149's system memory) also include a Programfor Generating and Utilizing a Sociometric Identification Document(PGUSID) 147. PGUSID 147 includes code for implementing the processesdescribed below, including those described in FIGS. 2-11. In oneembodiment, computer 101 is able to download PGUSID 147 from softwaredeploying server 149, including in an on-demand basis, wherein the codein PGUSID 147 is not downloaded until needed for execution. In oneembodiment of the present invention, software deploying server 149performs all of the functions associated with the present invention(including execution of PGUSID 147), thus freeing computer 101 fromhaving to use its own internal computing resources to execute PGUSID147.

The hardware elements depicted in computer 101 are not intended to beexhaustive, but rather are representative to highlight essentialcomponents required by the present invention. For instance, computer 101may include alternate memory storage devices such as magnetic cassettes,digital versatile disks (DVDs), Bernoulli cartridges, and the like.These and other variations are intended to be within the spirit andscope of the present invention.

As used herein, the terms “ID” and/or “identification document” aredefined as an electronic document that identifies a particular user. Theterm “sociometric ID” is defined as an ID that identifies a particularuser according to the activities and interactions of that user asdescribed herein.

As described herein, the sociometric ID is not based on what a personhas or what the person's name is or what the person's password is, butrather is based on what the person does and/or has done. That is, thesociometric ID identifies the person based on what he/she does, whichprovides a true identification of who the person really is. This “trueidentity” is difficult, if not impossible, to fake, thus leading to asociometric ID that is more trustworthy than a name, password, etc.

With reference now to FIG. 2, an exemplary graph 200 shows arelationship between a sociometric identification document (sociometricID) (depicted in block 202) that is defined from the user's profile incombination with the user's various user interactions and/or activities(in accordance with one or more embodiments of the present invention).That is, the novel sociometric ID in graph 200 is derived from acombination of the user's profile and personal details (depicted inblock 204), such as a particular user's name, education, statedinterests, etc. with that user's interactions with various providerentities.

For example, the user may have a history of professional connections andinteractions (block 206). That is, the user may be on a social mediawebsite that is tailored to a particular occupation, or the user may bea member of a professional organization for a specific occupation. Theprovider entity is thus the social media service and/or organizationthat provide such memberships and interactions.

Furthermore, the user may have a history of social connections andinteractions (block 208). That is, the user may be on a social mediawebsite that is tailored to persons having similar interests or personswho simply want to be part of an on-line community of persons havingvaried interests, backgrounds, etc. The provider entity in this exampleis thus the social media service that supports such social mediawebsites.

Furthermore, the user may have a history of activity on the Internet(i.e., a Browser history) that shows which websites the user has visitedonline, as shown in block 210.

Furthermore, the user may have a history of certain email activity(block 212). That is, the user may have an email history of email havinga certain subject line, being exchanged with certain persons, being sentat certain times of the day, etc.

Furthermore, the user may have a history of interacting with an Internetof Things (IoT) devices (block 214), such as other systems 155 shown inFIG. 1. That is, the user may use a computer (e.g., computer 101 shownin FIG. 1) that interacts with devices that are equipped with monitoringsensors, etc. (e.g., other systems 155 shown in FIG. 1), thus providinga fabric of devices that communicate with one another.

Thus, the sociometric ID shown in block 202 in graph 200 is the resultof a particular user engaging in one or more of the activities and/orinteractions shown in graph 200. That is, the present inventiongenerates a unique sociometric ID for a particular user based on whatthat user does, rather than that person's physical traits (biometrics),what that person has (e.g., is using a particular system, dongle, etc.),or what that person knows (e.g., a password). Rather, that person/useris given an identity that is based on what that person has done(activities/interactions) with the provider entities that are associatedwith activities/interactions described in blocks 206-214.

In one or more embodiments of the present invention, the sociometric IDis dependent upon a frequency of interaction/activities. For example, ifa first user connects to a particular social media website once an hour,while another user connects to (the same or different) social mediawebsite once a month, this disparity in frequency is used to assigndifferent sociometric IDs to the first user and the second user.

In one or more embodiments of the present invention, the derivation ofthe sociometric ID is an evolving dynamic activity rather than a staticaction. That is, rather than assigning a user a particular sociometricID at a fixed point in time (based on activities and interactions up tothat point in time), in one or more embodiments of the present inventionthe sociometric ID is periodically and/or continuously updated, in orderto refine the sociometric ID. For example, assume that an initialsociometric ID is created for a user based on that user accessinghis/her social media webpage once a month. However, after that initialsociometric ID is created, assume that this same user has beenexchanging daily emails with an entity from another social media websitefor a year, and no longer is visiting the social media webpage. As such,the sociometric ID will be updated to show that this user is no longeridentified as a person who uses the social media webpage, and is nowengaged in a relationship with the entity from the other social mediawebpage.

In one or more embodiments of the present invention, there are mutuallydependent sociometric IDs. For example, assume that user A and user Bare exchanging daily emails. As such, the sociometric IDs will beinitially created and/or updated for both user A and user B based onthis interaction.

With reference now to FIG. 3, an exemplary set of activities,interactions, histories, profiles, and/or devices provided by providerentities in order to supply information used to compute a sociometric IDfor a user in accordance with one or more embodiments of the presentinvention is presented.

For example, as shown in block 301, the user's social behavior andfootprint may be captured. Some of this behavior and footprint iscaptured from social media websites, which may be profession-based orpurely social-based. This social behavior may also be inferred by theuser's membership in certain organizations (e.g., membership in asailing club indicates that the user is a sailor). The social footprintmay also be derived from social activities (e.g., attending a swimmeet), authorship (e.g., publishing a paper on a certain topic or havinga web log (blog) devoted to a certain topic), etc. Thus, the socialnetwork is the provider entity that provides sociometric informationabout the user.

As shown in block 303, the user's transportation/travel footprint may becaptured. For example, the type of air and public travel taken by theuser may be captured from a carrier reservation system. Similarly,pedestrian routes taken by the user can be captured from a positioningsystem (e.g., a global positioning system—GPS) within a smartphonecarried by the user while walking to work, running on a trail, etc.These records may be of places, times, durations, etc. of the traveltaken by the user. Thus, the carrier reservation system and/or GPSsystem in the smartphone are the provider entity that providessociometric information about the user.

As shown in block 305, sensors on various devices may capture data aboutthe devices and their environment, which are then shared by and amongthe devices. That is, these devices are able to communicate theiractivities and states with one another, and are known collectively as anInternet of Things (IoT). For example, assume that a user has a truckand a chainsaw (as identified by universally unique identifier (UUID)chips on each of the truck and chainsaw). Each of the truck and thechainsaw has a sensor and communication system (e.g., a cellulartransceiver). Assume further that a sensor on the chainsaw shows thatthe chainsaw has been used to cut up trees/branches (and when).Positioning sensors on the truck show that after the user has used thechainsaw to cut up the trees/branches, he/she drives the truck to arecycling center, and unloads the trees/branches into a chipper (whichalso has sensors/transceivers and is also part of the IoT). Thiscombination of information from the IoT is used to identify the user asa person who 1) handles his/her own major landscaping maintenance and 2)is environmentally conscious, in order to develop his/her sociometricidentity. Thus, the IoT is the provider entity that provides sociometricinformation about the user.

As shown in block 307, educational details about the user are suppliedby a server operated by an educational entity (high school, university,trade school, etc.), to include grade transcripts, certifications,diplomas, etc. earned by a user. Thus, this education entity is theprovider entity that provides sociometric information about the user.

As shown in block 309, a web footprint shows which websites have beenvisited by the user, how frequently each website is visited by the user,and what time of the day/week/month/year each website is visited by theuser. This information is maintained by a browser that is used by theuser. Thus, this browser (and/or the webpage server) is the providerentity that provides sociometric information about the user.

As shown in block 311, an email footprint shows a history of emails, towhom they are received and sent, how frequently they are sent/receivedgenerally (to and from any party) or specifically (to and from aparticular entity), the subjects of the emails, what time of theday/week/month/year each email is exchanged, etc. This information ismaintained by an email program that is used by the user. Thus, thisemail program (and/or the email server) is the provider entity thatprovides sociometric information about the user.

As shown in block 313, what mobile devices are used by a user and howthey are used provides additional information about the user. Forexample, assume that the user has a smartphone and a tablet computer.The applications loaded on such devices, how the user utilizes them(e.g., how often and for what purpose), where the devices are used, etc.provide additional sociometric information about the user. Thus, thesemobile device(s) define the provider entity that provides sociometricinformation about the user.

Collectively, elements 301-313 shown in FIG. 3 are exemplary providerentities 315. However, in order to create the sociometric ID for theuser in one or more embodiments of the present invention, otherinformation is also incorporated into the sociometric ID. For example,the sociometric ID may include a photograph, biometric sensor readings,etc. of the user (block 317), a name, handwritten signature, etc. of theuser (block 319), etc.

As shown in FIG. 3, some or all of the information described for blocks301-319 are then incorporated into a computer (e.g., computer 101 shownin FIG. 1), which computes a preliminary ID (ID(u) for user ‘u’) for theuser (e.g., using information from blocks 317-319), as shown in block321. The system then augments/refines this preliminary ID using theinformation from the provider entities described with blocks 301-315 tocreate the sociometric ID (sID) for the user, as shown in block 323.Additional details of how this sID is generated are described below.

With reference now to FIG. 4, an overview of how sociometric IDs areused to identify a user is presented.

Assume that a user is represented by the block showing user 400. Asshown in line 401, the user first obtains a sociometric ID specific forthat user from a sociometric ID provider 406 (e.g., a server, database,etc. that stores sociometric IDs). That is, sociometric ID provider 406is an exemplary identity providing server that performs one or more ofthe processes/steps described herein. In one or more embodiments of thepresent invention, the user will not know initially what his/hersociometric ID is. Therefore, the sociometric ID provider 406 will referto a lookup table to match a non-sociometric ID (e.g., a first name andlast name of the user, an email address of the user, etc.) to thesociometric ID (that was generated using the process introduced above inFIG. 3).

As shown in line 402, the sociometric ID retrieved by the user 400 (seeline 401) is provided to a bank 410, as shown in line 402. The bank thenconnects to the sociometric ID provider 406 (as shown by line 403) ordirectly (as not shown) to one or more of the provider entities, such associal media 408 (e.g., a social media service that provides informationabout the social connections and interactions described in block 208shown in FIG. 2), email 412 (e.g., an email server that provides emailinformation about the user's email activity described in block 212 shownin FIG. 2), and/or IoT nest 414 (e.g., a network of intercommunicatingdevices (IoT) that provide information about how the user interacts withsuch devices as described in block 214 shown in FIG. 2).

In one or more embodiments of the present invention, the sociometric IDprovider 406 is a computer (e.g., sociometric ID provider 106 shown inFIG. 1) that generates initial versions of the sociometric ID (sID)based on a user's interactions with the provider entities (e.g.,provider entities 315 shown in FIG. 3 and/or elements 408, 412, and/or414 shown in FIG. 4). Likewise, sociometric ID provider 406 also updatesthe sID based on subsequent user interactions with the providerentities.

Assume that the bank 410 is communicating with sociometric ID provider406 as depicted by line 403. If the bank 410 mentions in thecommunication that part of the sociometric ID has been derived fromactivities with social media 408, then the sociometric ID provider 406will connect the user 400 to social media 408, since that sociometric IDis tailored for communications with social media 408. That is, since thesociometric ID is derived from past interactions with social media 408,then user 400 and social media 408 have “a history with one another”,and so sociometric ID provider 406 will enable a session between user400 (and/or bank 410) and social media 408 to occur.

In one or more embodiments in which bank 410 and sociometric ID provider406 act as intermediaries between user 400 and social media 408, email412, and/or nest (IoT) 414, bank 410 will verify user 400's preliminaryID by asking a security question, asking for a password, etc., asdepicted in line 404.

The elements in FIG. 4 may be considered graph nodes. For purposes ofclarity, some of the nodes shown in FIG. 4 are expressly depicted in theinteraction graph 501 that is constructed and shown in FIG. 5.

As shown in FIG. 5, user node 500 (for user 400 shown in FIG. 4) isconnected to a social media node 508 (for the social media 408 describedin FIG. 4), an email node 512 (for the email 412 described in FIG. 4),and a nest (IoT) node 514 (analogous to nest (IoT) 414 shown in FIG. 4).Each connection includes a static edge (from static edges 503 a-503 c)and a dynamic edge (from dynamic edges 505 a-505 c). These static edgesand dynamic edges are not only represented in the interaction graph 501,but are also identified (e.g., in communication packet headers) betweenthe user device (e.g., computer 101 shown in FIG. 1) and other systems(e.g., other systems 155 shown in FIG. 1) that are used by the variousprovider entities.

The static edges 503 a-503 c include static metadata that describes arelationship between the user node 500 and the one or more providerentity nodes. For example, static edge 503 a may simply state that user500 is a member of the group of persons who make up the social medianetwork depicted as social media 508.

Dynamic edges 505 a-505 c describe actions and interactions between theuser 500 and the one or more provider entities. For example, dynamicedge 505 a may describe how often user 500 accesses the social media508, what types of actions are performed by user 500 (e.g., if socialmedia 508 advertises a service, does user 500 ever purchase such aservice from social media 508), etc.

With reference now to FIG. 6, flowchart 600 depicts an overview of howsociometric IDs (sIDs) are computed, updated, distributed, and verified.

As shown in block 602, the sID is initially created (e.g., bysociometric ID provider 406 shown in FIG. 4) from information derivedfrom a user's interactions and actions with various provider entities,as described in FIG. 2-FIG. 5 and/or other figures herein.

As depicted in block 604, the sID is updated (e.g., by sociometric IDprovider 406 shown in FIG. 4) according to interactions and actions withthe various provider entities subsequent to the initial sID's creation.This updated sID 606 is then distributed (e.g., to the bank 410 shown inFIG. 4), as depicted in block 608. As described in FIG. 4, the sIDand/or the user's initial ID (e.g., name, password, etc.) may also beverified (block 610) by the sociometric ID provider 406 shown in FIG. 4.

As shown in FIG. 7, information about a user's interactions is obtainedby a sociometric ID provider 706 (analogous to the sociometric IDprovider 406 shown in FIG. 4).

For example, sociometric ID provider 706 may send a query asking for adigital signature 701 from a user. This signature is returned, and isused 1) as a starting element for creating the sID described herein, and2) as an ID used to request the sociometric identification document(sID) from the sociometric ID provider 706.

Other activity shown in FIG. 7 is obtained by the sociometric IDprovider 706 to generate the sID. For example, the sociometric IDprovider 706 may query a social media plugin 708 (that supports socialmedia 408 shown in FIG. 4) for a history of the user interacting withone or more social media services, including those accessed by firstsocial media plugin 711 a, second social media plugin 711 b, and/orthird social media plugin 711 c (i.e., social media plugin 708 acts asan intermediary to first social media plugin 711 a, second social mediaplugin 711 b, and/or third social media plugin 711 c).

Similarly, sociometric ID provider 706 may query mobile device(s) 713(analogous to mobile device(s) 313 described in FIG. 3) for mobileactivity data that describes the user's use of mobile devices.

Similarly, sociometric ID provider 706 may query IoT devices (analogousto IoT 305 described in FIG. 3) for a record of the user'sactivity/interaction with the IoT.

Similarly, sociometric ID provider 706 may crawl the web 709 (in orderto obtain the web footprint 309 described in FIG. 3), thus obtaining webdata about the user.

With reference now to FIG. 8, a flowchart depicting a method forcomputing a sociometric ID in accordance with one or more embodiments ofthe present invention is presented.

After initiator block 802, a system (e.g., sociometric ID provider 402introduced in FIG. 4) receives data and sub-identities (e.g.,signatures, personal names, etc.) about a particular user, as describedin block 804. The sociometric ID provider also receives data describingthe user from provider entities. Exemplary provider entities includesocial media 808 (analogous to the social media supported by the socialmedia plugin 708 shown in FIG. 7) as well as first social media 811 a(supported by the first social media plugin 711 a depicted in FIG. 7),second social media 811 b (supported by the second social media plugin711 b depicted in FIG. 7), and third social media 811 c (supported bythe third social media plugin 711 c depicted in FIG. 7). Other providerentities include mobile device(s) 813 (analogous to mobile device(s) 713shown in FIG. 7); IoT 805 (analogous to IoT devices 705 shown in FIG.7); and web footprint 809 (i.e., a footprint created by the userbrowsing on the web 709 shown in FIG. 7).

As described in block 806, the sociometric ID provider 402 thenvalidates the initial ID from the user and the information collectedfrom the provider entities according to a policy 810. For example,policy 810 may state that any data from the provider entities thatcannot be verified will be deleted from the process, and send to invaliddata items 812 (i.e., data that will not be used to construct the sID).

Similarly, policy 810 may state that if a validation error is above acertain level (e.g., Y %), then the identity has a confidence value<1.For example, if less than 90% (Y %) of the data received from theprovider entities is verified as being accurate (i.e., with regard tothe user's interaction with the provider entities), then the entire sIDis suspect, and is labeled as such for future warning to systemresources that are relying on the sID as authorization to access thesystem resources. Thus, the policy 810 defines invalid data items, orproperties of data items that should be treated as valid. For example,if the data contains multiple locations of a single individual at agiven time, then some or all of the data may not belong to theindividual claimed, and is therefore treated as being invalid.Similarly, if the data contains different social security numbers, thenthe data will be treated as invalid.

In one or more embodiments, data retrieved from the provider entities,as well as the sID itself, may be stored at the provider entities in anencrypted form, in order to preserve the security of the sID.

As shown in block 814, an initial sID is computed from sub-identities(e.g., groups of nodes in the interaction graph 501 shown in FIG. 5),the time that interactions occurred between the user and the providerentities, the location of the user when requesting access to a computerresource (which may or may not be one of the provider entities), etc.

As shown in block 816, the system may heuristically learn to reject theinvalid data items 812 in order to create an approximate sID, asdepicted in block 818. That is, if 20% of the data from the providerentities is rejected (due to not passing the data inspection describedin block 806), then it is an approximation sID, which may or may not beused. However, if sufficient data is received from the provider entities(e.g., 95% is deemed accurate), then an uncompromised sID 820 isgenerated.

With reference now to FIG. 9, a high-level flow chart of one or moresteps performed by one or more processors to compute a sociometricidentification document (sID) in accordance with one or more embodimentsof the present invention is provided.

The process begins at initiator block 901 by computing a sub-identityfor a user “u” according to each provider entity (e.g., see FIG. 3)accessed by that user.

As described in block 903, if this is the first time the sID is beingcomputed, the sociometric ID id(u,d) is generated from the staticprofile of the user “u” and other personal information/biometricsprovided for the user “u” for each provider entity “d”. The initial sIDmay be generated by hashing or by signing such data to create theinitial sID.

As described in block 905, neighbors (e.g., nodes 508, 512, 514 ininteraction graph 501 shown in FIG. 5) of the user node (e.g., node 500)are identified.

As described in block 907, a depth-first search (DFS) is used totraverse through the interaction graph. In one or more embodiments, theDFS is performed in a recursive/reproducible manner such as by visitingwith an unvisited neighbor that joined the network earliest. Thesociometric ID of the user is appended to each neighbor node of the usernode. All of these slDs (‘id(u,d)’) for the neighbor nodes are hashed.Their hashed value is then assigned to the hashed/assimilated sID, asdescribed in blocks 909-911. Another embodiment may include a differentmethod, such as computing a digital signature of the appended values, oraggregating the digital signatures.

Thus, when the DFS ends, id(u, d)=hash(id (u,d)∥interactions∥meta-data). That is, the slDs (id (u, d)) for eachsubunit (neighbor nodes “d” to the user node “u”) are hashed with theinteractions (as described in the static and dynamic edges depicted inFIG. 5) and the meta-data derived from these edges.

In one or more embodiments of the present invention, a timestamp T isalso incorporated into the sID, in order to define the lifetime of thesID. Thus, the sID (u, T, g) is computed for the user S(u), according tothe timestamp describing when the user interacted with the variousprovider entities, each for sub-graph g from the interaction graph,and/or any uniform resource identifiers (URIs) and/or cryptograph keys(e.g., public key) associated with provider entities. Thus, as describedin block 913, the sID is computed over (S(u), T, g, number of sources,list of data sources:<name of data source, address URI, public key). Ifsome or all signatures S(d) are non-aggregate signatures or are hashes,then sID(u, T, g) is computed based on (T, number of sources,hash-after-concatenate-over-all-d(S(d), name of data source ‘d’, addressURI)).

With reference now to FIG. 10, a high level flow chart of a process forcomputing, distributing, and verifying an sID in accordance with one ormore embodiments of the present invention is presented.

As in FIG. 3, the system computes the initial ID(u) for the user (block1021) using information from social behavior and footprint 1001, mobiledevice(s) 1013, IoT 1005, educational details 1007, web footprint 1009,handwritten signature 1019, and photograph, biometrics 1017. The systemthen generates the sID, as shown in block 1023.

As shown in block 1025, the system then distributes the sID to the useraccording to an identity policy 1027. There are multiple modes ofdistribution of slDs: to a consumer of the sID, to a service provider,etc.

In one or more embodiments of the present invention, signatures (S(d))are collected from each of the data sources ‘d’ (i.e., the providerentities described herein). If all the signatures S(d) are computedusing an aggregate signature scheme, then the system will aggregate allthe signatures into one signature S(u) for user u. A timestamp T (e.g.,a particular period of time) is the time at which the following step iscarried out:

sID(u,T)←Signature-of-(S(u), T, number of sources, list of datasources:<name of data source, address URI, public key))

If some or all signatures S(d) are non-aggregate signatures or arehashes, then:

sID(u,T)←Signature-of-(T, number of sources,hash-after-concatenate-over-all-d(S(d), name of data source ‘d’, addressURI))

Thus, as shown in block 1029 in FIG. 10, the ID(u) (i.e., the sID forthe user) is provided to the user.

As described in block 1031, the ID(u) is then decomposed into “k” unitsfor each of the provider entities. As described in block 1033, only asubset of these “k” units may be sent to the user, depending on theuser's history, requests, etc.

As described in block 1035, a set of questions may also be sent to theuser in order to verify the sID. For example, assume that the userclaimed 1) a certain level of education at 2) a particular universityand 3) he/she is connected to a certain person on a social mediawebsite. The sociometric system computes a digest of these three claimedfacts and verifies the stored digests against these facts. If thedigests are matched, then the identity is verified, as described inblocks 1037-1041 in FIG. 10.

As described herein in various embodiments of the present invention, auser authenticates on an application (e.g., webpage/portal, mobile app)for sociometric identity. The user may begin by selecting “createidentity” on a user interface, and then selects the “data sources”(e.g., provider entities) from which data would be used to create theidentity, such as “all data sources”, or a subset of data sources suchas certain social media services, certain websites, particular mobiledevices, etc.

The system then determines (from an input from the user or from an‘identity policy’) if the user has a cryptographic key for digitalsignature, and credentials to protect the key (e.g., passwords,biometrics, multi-factor credentials or other credentials). Credentialsand keys are managed by a “Credentials and key management unit”.

If there is no key, the user is asked to confirm that a new key (i.e.,an sID) will be generated.

If the key has expired or needs to be changed based on a credentialspolicy, the application asks the user to confirm re-generation of thekey.

The application asks the user to select from the following twotechniques: 1) the application will pull data from the “data sources”,and/or 2) the application will receive “hashes” or “signatures” of thedata of the user from the “data sources” selected by the user or fromother data sources.

The application then uses an “identity generation component” to generatethe identity bitstring (the sID) for the user. The application storesthe sID in the database.

The application reads the ‘identity policy’ and determines whether todistribute relevant sub-identities to each relevant data source. Ifsub-identities are to be distributed to some or all of the data sources,then for each data source DS, a “sub-identity generator” componentgenerates the sub-identities, which are sent to the respective datasources.

With reference now to FIG. 11, a high level flow chart of one or moresteps performed by one or more embodiments of the present invention togenerate and utilize an sID is presented.

After initiator block 1101, one or more processors (e.g., withinsociometric ID provider 406) identify an interaction between a user andone or more provider entities, as described in block 1103. Examples ofsuch provider entities are shown in FIG. 3, FIG. 10, etc.

As described in block 1105, the one or more processors identify profilesfor the one or more provider entities. For example, the profile of IoT305 in FIG. 3 is that of a group of devices that are able to communicatewith one another regarding their current states. Similarly, the profileof the browser that provided the web footprint 309 is that of a devicethat is able to both crawl and keep a record of crawls through the WorldWide Web. Similarly, the profile of a travel agency or provider thatprovided the transportation/travel footprint 303 is that of a systemthat is able to both make travel reservations and keep a record oftravel. That is, in one or more embodiments, a provider entity mayprovide information that is specific to/for the user. Thus, the profilesfor the one or more provider entities may identify both the nature ofthe type of information/service/resources provided by the providerentities, as well as a record of the user's interactions with theprovider entities.

As described in block 1107, the one or more processors then compute asociometric identity (sID) of the user based on the profiles of the oneor more provider entities with which the user has had an interaction.That is, the sID essentially says “User A is a user who has visitedthese websites, while using this mobile device, and has gone to acertain university”. That is, the sID describes what the user has done.

Once the sID is generated for use for one or more particular computerresources (e.g., servers, storage devices, printers, and/or one or moreof the provider entities that were used to generate the sID), the one ormore processors then transmit the sociometric identity to a networkresource in order to establish a session between the network resourceand a user device used by the user having the sociometric identity, asdescribed in block 1109. That is, the sID is then used to verify theidentity of the person attempting to re-access the provider entities (oreven another computer system that is different from the providerentities) is whom the user says he/she is.

The flowchart ends at terminator block 1111.

In one or more embodiments of the present invention, one or moreprocessors identify a time period in which the interaction between theuser and the provider entity(ies) occurred. This time period may be aparticular period of time (e.g., from January 2020 through December2020), or it may be a length of time (e.g., 30 days, regardless of thedates that these 30 days occurred in). The processor(s) then limit alifetime of the sociometric identity based on the time period in whichthe interaction occurred. For example, if the user has a history ofaccessing a particular website during the past year, then the sID usedto re-access that website may be perishable, such that it can only beused for the next month.

In one or more embodiments of the present invention, one or moreprocessors recursively examine the profiles for the one or more providerentities until the sociometric identifier is confirmed for the user. Forexample, assume that the sID described herein was based on a useraccessing a certain website. Assume now that the system wants to bolsterthe sID based on the user visiting other websites. If the user visitedenough websites, then that user is confirmed as a routine visitor towebsites, and his/her sID is confirmed as that of a website visitor.

In one or more embodiments of the present invention, one or moreprocessors construct an interaction graph, such as the interaction graph501 shown in FIG. 5. As described herein, the interaction graph includesa user node 500 for the user linked to provider entity nodes (508, 512,514) for the one or more provider entities. As depicted in FIG. 5, theuser node and the one or more provider entity nodes are connected bypairs of static edges 503 a-503 c and dynamic edges 505 a-505 c. Thestatic edges include static metadata that describes a relationshipbetween the user node and the one or more provider entity nodes, and thedynamic edges include dynamic metadata that describes actions andinteractions between the user and the one or more provider entities. Theone or more processors then perform a depth-first search of theinteraction graph in order to traverse all nodes on the interactiongraph. Thereafter, the one or more processors hash the sociometricidentity (sID) with the static metadata and the dynamic metadata for allnodes on the interaction graph in order to create a sociometric identityhash value. The sociometric identity hash value identifies a location ina sociometric identity table at which the sociometric identity of theuser is to be stored. The one or more processors then store thesociometric identity of the user at the location in the sociometricidentity table, for quick and efficient future retrieval.

In one or more embodiments, the interaction graph is partitioned, by oneor more processors, into multiple digests. For example, a first digestincludes the user node and a first set of provider entity nodes, and asecond digest may include the user node and a second set of providerentity nodes. One or more processors then compare the first digest tothe second digest, in order to determine a percentage of matching staticand dynamic metadata between the first digest and the second digest. Inresponse to the percentage of matching static and dynamic metadatabetween the first digest and the second digest exceeding a predefinedvalue, then the processors confirm the sociometric identity of the useras a confirmed sociometric identity of the user. That is, if thestatic/dynamic edges between the user node and multiple provider entitynodes match, then the sID is confirmed as being based on accurate andmeaningful data regarding the relationship between the user and theprovider entities. The processors then store the sociometric identity ofthe user in a digest store, which utilizes a key value pair table toassociate the confirmed sociometric identity of the user with the firstdigest. That is, the system can then quickly retrieve the sID when theuser desires to re-access the provider entity found in the first digest(partition) depicted in the interaction graph.

In various embodiments of the present invention, at least one of theprovider entities is a social network provider; at least one of theprovider entities is an Internet of Things (IoT) record server; etc.

In various embodiments of the present invention, the interaction betweenthe user and the one or more provider entities is a social connection ofthe user and another user; a purchase of a product from a provider; apurchase of a service from a provider; and/or emails exchanged by theuser with other email users.

In one or more embodiments of the present invention, one or moreprocessors store and retrieve slDs using a hash of an interactiontriplet in order to expedite and make more efficient retrieval of theslDs. That is, one or more processors create a hash of an interactiontriplet for the interaction between the user and the one or moreprovider entities, where the hash is a hashing of a name of the user, asubject of the interaction with the one of more provider entities, and adate of the interaction with the one or more provider entities. The oneor more processors then store the hash in a table of hashed interactiontriplets for future retrieval of a hashed interaction triplet for theuser in response to the user requesting access to the network resource.That is, the hashed interaction triplet provides a pointer to the sIDneeded to access that particular network resource.

In one or more embodiments of the present invention, the method(s)described herein are implemented as a cloud-based service (describedbelow).

The present invention may be implemented in one or more embodimentsusing cloud computing. Nonetheless, it is understood in advance thatalthough this disclosure includes a detailed description on cloudcomputing, implementation of the teachings recited herein is not limitedto a cloud computing environment. Rather, embodiments of the presentinvention are capable of being implemented in conjunction with any othertype of computing environment now known or later developed.

Cloud computing is a model of service delivery for enabling convenient,on-demand network access to a shared pool of configurable computingresources (e.g. networks, network bandwidth, servers, processing,memory, storage, applications, virtual machines, and services) that canbe rapidly provisioned and released with minimal management effort orinteraction with a provider of the service. This cloud model may includeat least five characteristics, at least three service models, and atleast four deployment models.

Characteristics are as follows:

On-demand self-service: a cloud consumer can unilaterally provisioncomputing capabilities, such as server time and network storage, asneeded automatically without requiring human interaction with theservice's provider.

Broad network access: capabilities are available over a network andaccessed through standard mechanisms that promote use by heterogeneousthin or thick client platforms (e.g., mobile phones, laptops, and PDAs).

Resource pooling: the provider's computing resources are pooled to servemultiple consumers using a multi-tenant model, with different physicaland virtual resources dynamically assigned and reassigned according todemand. There is a sense of location independence in that the consumergenerally has no control or knowledge over the exact location of theprovided resources but may be able to specify location at a higher levelof abstraction (e.g., country, state, or datacenter).

Rapid elasticity: capabilities can be rapidly and elasticallyprovisioned, in some cases automatically, to quickly scale out andrapidly released to quickly scale in. To the consumer, the capabilitiesavailable for provisioning often appear to be unlimited and can bepurchased in any quantity at any time.

Measured service: cloud systems automatically control and optimizeresource use by leveraging a metering capability at some level ofabstraction appropriate to the type of service (e.g., storage,processing, bandwidth, and active user accounts). Resource usage can bemonitored, controlled, and reported providing transparency for both theprovider and consumer of the utilized service.

Software as a Service (SaaS): the capability provided to the consumer isto use the provider's applications running on a cloud infrastructure.The applications are accessible from various client devices through athin client interface such as a web browser (e.g., web-based e-mail).The consumer does not manage or control the underlying cloudinfrastructure including network, servers, operating systems, storage,or even individual application capabilities, with the possible exceptionof limited user-specific application configuration settings.

Platform as a Service (PaaS): the capability provided to the consumer isto deploy onto the cloud infrastructure consumer-created or acquiredapplications created using programming languages and tools supported bythe provider. The consumer does not manage or control the underlyingcloud infrastructure including networks, servers, operating systems, orstorage, but has control over the deployed applications and possiblyapplication hosting environment configurations.

Infrastructure as a Service (IaaS): the capability provided to theconsumer is to provision processing, storage, networks, and otherfundamental computing resources where the consumer is able to deploy andrun arbitrary software, which can include operating systems andapplications. The consumer does not manage or control the underlyingcloud infrastructure but has control over operating systems, storage,deployed applications, and possibly limited control of select networkingcomponents (e.g., host firewalls).

Deployment Models are as follows:

Private cloud: the cloud infrastructure is operated solely for anorganization. It may be managed by the organization or a third party andmay exist on-premises or off-premises.

Community cloud: the cloud infrastructure is shared by severalorganizations and supports a specific community that has shared concerns(e.g., mission, security requirements, policy, and complianceconsiderations). It may be managed by the organizations or a third partyand may exist on-premises or off-premises.

Public cloud: the cloud infrastructure is made available to the generalpublic or a large industry group and is owned by an organization sellingcloud services.

Hybrid cloud: the cloud infrastructure is a composition of two or moreclouds (private, community, or public) that remain unique entities butare bound together by standardized or proprietary technology thatenables data and application portability (e.g., cloud bursting forload-balancing between clouds).

A cloud computing environment is service oriented with a focus onstatelessness, low coupling, modularity, and semantic interoperability.At the heart of cloud computing is an infrastructure comprising anetwork of interconnected nodes.

Referring now to FIG. 12, illustrative cloud computing environment 50 isdepicted. As shown, cloud computing environment 50 comprises one or morecloud computing nodes 10 with which local computing devices used bycloud consumers, such as, for example, personal digital assistant (PDA)or cellular telephone 54A, desktop computer 54B, laptop computer 54C,and/or automobile computer system 54N may communicate. Nodes 10 maycommunicate with one another. They may be grouped (not shown) physicallyor virtually, in one or more networks, such as Private, Community,Public, or Hybrid clouds as described hereinabove, or a combinationthereof. This allows cloud computing environment 50 to offerinfrastructure, platforms and/or software as services for which a cloudconsumer does not need to maintain resources on a local computingdevice. It is understood that the types of computing devices 54A-54Nshown in FIG. 12 are intended to be illustrative only and that computingnodes 10 and cloud computing environment 50 can communicate with anytype of computerized device over any type of network and/or networkaddressable connection (e.g., using a web browser).

Referring now to FIG. 13, a set of functional abstraction layersprovided by cloud computing environment 50 (FIG. 12) is shown. It shouldbe understood in advance that the components, layers, and functionsshown in FIG. 13 are intended to be illustrative only and embodiments ofthe invention are not limited thereto. As depicted, the following layersand corresponding functions are provided:

Hardware and software layer 60 includes hardware and softwarecomponents. Examples of hardware components include: mainframes 61; RISC(Reduced Instruction Set Computer) architecture based servers 62;servers 63; blade servers 64; storage devices 65; and networks andnetworking components 66. In some embodiments, software componentsinclude network application server software 67 and database software 68.

Virtualization layer 70 provides an abstraction layer from which thefollowing examples of virtual entities may be provided: virtual servers71; virtual storage 72; virtual networks 73, including virtual privatenetworks; virtual applications and operating systems 74; and virtualclients 75.

In one example, management layer 80 may provide the functions describedbelow. Resource provisioning 81 provides dynamic procurement ofcomputing resources and other resources that are utilized to performtasks within the cloud computing environment. Metering and Pricing 82provide cost tracking as resources are utilized within the cloudcomputing environment, and billing or invoicing for consumption of theseresources. In one example, these resources may comprise applicationsoftware licenses. Security provides identity verification for cloudconsumers and tasks, as well as protection for data and other resources.User portal 83 provides access to the cloud computing environment forconsumers and system administrators. Service level management 84provides cloud computing resource allocation and management such thatrequired service levels are met. Service Level Agreement (SLA) planningand fulfillment 85 provide pre-arrangement for, and procurement of,cloud computing resources for which a future requirement is anticipatedin accordance with an SLA.

Workloads layer 90 provides examples of functionality for which thecloud computing environment may be utilized. Examples of workloads andfunctions which may be provided from this layer include: mapping andnavigation 91; software development and lifecycle management 92; virtualclassroom education delivery 93; data analytics processing 94;transaction processing 95; and device session management 96, whichperforms one or more of the features of the present invention describedherein.

The terminology used herein is for the purpose of describing particularembodiments only and is not intended to be limiting of the presentinvention. As used herein, the singular forms “a”, “an” and “the” areintended to include the plural forms as well, unless the context clearlyindicates otherwise. It will be further understood that the terms“comprises” and/or “comprising,” when used in this specification,specify the presence of stated features, integers, steps, operations,elements, and/or components, but do not preclude the presence oraddition of one or more other features, integers, steps, operations,elements, components, and/or groups thereof.

The corresponding structures, materials, acts, and equivalents of allmeans or step plus function elements in the claims below are intended toinclude any structure, material, or act for performing the function incombination with other claimed elements as specifically claimed. Thedescription of various embodiments of the present invention has beenpresented for purposes of illustration and description, but is notintended to be exhaustive or limited to the present invention in theform disclosed. Many modifications and variations will be apparent tothose of ordinary skill in the art without departing from the scope andspirit of the present invention. The embodiment was chosen and describedin order to best explain the principles of the present invention and thepractical application, and to enable others of ordinary skill in the artto understand the present invention for various embodiments with variousmodifications as are suited to the particular use contemplated.

Any methods described in the present disclosure may be implementedthrough the use of a VHDL (VHSIC Hardware Description Language) programand a VHDL chip. VHDL is an exemplary design-entry language for FieldProgrammable Gate Arrays (FPGAs), Application Specific IntegratedCircuits (ASICs), and other similar electronic devices. Thus, anysoftware-implemented method described herein may be emulated by ahardware-based VHDL program, which is then applied to a VHDL chip, suchas a FPGA.

Having thus described embodiments of the present invention of thepresent application in detail and by reference to illustrativeembodiments thereof, it will be apparent that modifications andvariations are possible without departing from the scope of the presentinvention defined in the appended claims.

What is claimed is:
 1. A method comprising: identifying, by one or moreprocessors, an interaction between a user and one or more providerentities; identifying, by one or more processors, profiles for the oneor more provider entities; computing, by one or more processors, asociometric identity of the user based on the profiles for the one ormore provider entities with which the user has had an interaction; andtransmitting, by one or more processors, the sociometric identity to anetwork resource in order to establish a session between the networkresource and a user device used by the user having the sociometricidentity.
 2. The method of claim 1, further comprising: identifying, byone or more processors, a time period in which the interaction occurred,wherein the time period identifies a particular period of time; andlimiting, by one or more processors, a lifetime of the sociometricidentity based on the time period in which the interaction occurred. 3.The method of claim 1, further comprising: identifying, by one or moreprocessors, a length of time during which the interaction occurred,wherein the length of time is not restricted to any particular period oftime; and limiting, by one or more processors, a lifetime of thesociometric identity based on the length of time during which theinteraction occurred.
 4. The method of claim 1, further comprising:recursively examining, by one or more processors, the profiles for theone or more provider entities until the sociometric identity isconfirmed for the user.
 5. The method of claim 1, further comprising:constructing, by one or more processors, an interaction graph, whereinthe interaction graph comprises a user node for the user linked to oneor more provider entity nodes for the one or more provider entities,wherein the user node and the one or more provider entity nodes areconnected by pairs of static edges and dynamic edges, wherein the staticedges include static metadata that describes a relationship between theuser node and the one or more provider entity nodes, and wherein thedynamic edges include dynamic metadata that describes actions andinteractions between the user and the one or more provider entities;performing, by one or more processors, a depth-first search of theinteraction graph in order to traverse all nodes on the interactiongraph; hashing, by one or more processors, the sociometric identity withthe static metadata and the dynamic metadata for all nodes on theinteraction graph in order to create a sociometric identity hash value,wherein the sociometric identity hash value identifies a location in asociometric identity table at which the sociometric identity of the useris to be stored; and storing, by one or more processors, the sociometricidentity of the user at the location in the sociometric identity table.6. The method of claim 1, wherein at least one of the provider entitiesis a social network provider.
 7. The method of claim 1, wherein at leastone of the provider entities is an Internet of Things (IoT) recordserver.
 8. The method of claim 1, wherein the interaction is a socialconnection of the user and another user.
 9. The method of claim 1,wherein the interaction is a purchase of a product from a provider. 10.The method of claim 1, wherein the interaction is a purchase of aservice from a provider.
 11. The method of claim 1, wherein theinteraction is described in a list of emails exchanged by the user. 12.The method of claim 1, further comprising: creating, by one or moreprocessors, a hash of an interaction triplet for the interaction betweenthe user and the one or more provider entities, wherein the hash is ahashing of a name of the user, a subject of the interaction with the oneor more provider entities, and a date of the interaction with the one ormore provider entities; storing, by one or more processors, the hash ina table of hashed interaction triplets; and retrieving, by one or moreprocessors, a hashed interaction triplet for the user in response to theuser requesting access to the network resource.
 13. The method of claim1, further comprising: constructing, by one or more processors, aninteraction graph, wherein the interaction graph comprises a user nodefor the user linked to one or more provider entity nodes for the one ormore provider entities, wherein the user node and the one or moreprovider entity nodes are connected by pairs of static edges and dynamicedges, wherein the static edges include static metadata that describes arelationship between the user node and the one or more provider entitynodes, and wherein the dynamic edges include dynamic metadata thatdescribes actions and interactions between the user and the one or moreprovider entities; partitioning, by one or more processors, theinteraction graph into multiple digests, wherein a first digestcomprises the user node and a first set of provider entity nodes, andwherein a second digest comprises the user node and a second set ofprovider entity nodes; comparing, by one or more processors, the firstdigest to the second digest, wherein comparing the first digest to thesecond digest determines a percentage of matching static and dynamicmetadata between the first digest and the second digest; in response tothe percentage of matching static and dynamic metadata between the firstdigest and the second digest exceeding a predefined value, confirming,by one or more processors, the sociometric identity of the user as aconfirmed sociometric identity of the user; and storing, by one or moreprocessors, the sociometric identity of the user in a digest store,wherein the digest store utilizes a key value pair table to associatethe confirmed sociometric identity of the user with the first digest.14. The method of claim 1, wherein the sociometric identity is providedby an identity provider server.
 15. The method of claim 1, wherein themethod is implemented as a cloud-based service.
 16. A computer programproduct comprising one or more computer readable storage mediums, andprogram instructions stored on at least one of the one or more storagemediums, the stored program instructions comprising: programinstructions to identify an interaction between a user and one or moreprovider entities; program instructions to identify profiles for the oneor more provider entities; program instructions to compute a sociometricidentity of the user based on the profiles of the one or more providerentities with which the user has had an interaction; and programinstructions to transmit the sociometric identity to a network resourcein order to establish a session between the network resource and a userdevice used by the user having the sociometric identity.
 17. Thecomputer program product of claim 16, further comprising: programinstructions to identify a length of time during which the interactionoccurred, wherein the length of time is not restricted to any particularperiod of time; and program instructions to limit a lifetime of thesociometric identity based on the length of time during which theinteraction occurred.
 18. The computer program product of claim 16,further comprising: program instructions to construct an interactiongraph, wherein the interaction graph comprises a user node for the userlinked to one or more provider entity nodes for the one or more providerentities, wherein the user node and the one or more provider entitynodes are connected by pairs of static edges and dynamic edges, whereinthe static edges include static metadata that describes a relationshipbetween the user node and the one or more provider entity nodes, andwherein the dynamic edges include dynamic metadata that describesactions and interactions between the user and the one or more providerentities; program instructions to perform a depth-first search of theinteraction graph in order to traverse all nodes in the interactiongraph; program instructions to hash the sociometric identity with thestatic metadata and the dynamic metadata for all nodes in theinteraction graph in order to create a sociometric identity hash value,wherein the sociometric identity hash value identifies a location in asociometric identity table at which the sociometric identity of the useris to be stored; and program instructions to store the sociometricidentity of the user at the location in the sociometric identity table.19. The computer program product of claim 16, wherein the programinstructions are provided as a service in a cloud environment.
 20. Asystem comprising: one or more processors; one or more computer readablememories operably coupled to the one or more processors; one or morecomputer readable storage mediums operably coupled to the one or morecomputer readable memories; and program instructions stored on at leastone of the one or more computer readable storage mediums for executionby at least one of the one or more processors via at least one of theone or more computer readable memories, the program instructionscomprising: program instructions configured to identify an interactionbetween a user and one or more provider entities; program instructionsconfigured to identify profiles for the one or more provider entities;program instructions configured to compute a sociometric identity of theuser based on the profiles of the one or more provider entities withwhich the user has had an interaction; and program instructionsconfigured to transmit the sociometric identity to a network resource inorder to establish a session between the network resource and a userdevice used by the user having the sociometric identity.